[VIM] my dispute: Submit ( ToendaCMS<= ( Remote File Include Vulnerabilities )

Stuart Moore smoore at securityglobal.net
Tue Aug 29 18:34:57 EDT 2006


In the bugtraq message "Submit ( ToendaCMS<= ( Remote File Include 
Vulnerabilities )" by "h4ck3riran at yahoo.com", the report claims several 
include file issues.

One is:

 > < #CodE:  include($site.'.php');
 > < # Expolit :
 > < # http://Www.Site.coM/[path]/setup/index.php?site=Sh3ll

But, in '/setup/index.php' the code actually says:

 > 		switch($site){
 > 			case 'language':
 > 				include($site.'.php');
 > 				break;
 > 			default:
 > 				include('inc/'.$site.'.php');
 > 				break;
 > 		}

So, yes the code includes [$site].php, but only if case 'language'.  In 
any other situation, it includes 'inc/[$site].php'.  So, no it can't be 
exploited to point to a remote URL.  But, interestingly, this appears as 
if it can be used to traverse the directory and include other files with 
a ".php" extension on the local system.  This being a setup script, I 
don't know if you'd leave it up on an active system.

The report also claims:

 > < # CodE :   require($tcms_administer_site.'/tcms_global/database.php')
 > < #Expolit :
 > < #http://Www.Site.coM/[path]/media.php?tcms_administer_site=Sh3ll

but the '/media.php' code says:

 > $tcms_administer_site = 'data';
 > require($tcms_administer_site.'/tcms_global/database.php');

The other claims are relate to 'tcms_administer_site' (which, for 
'index.php', was debunked by Carsten Eilers on Aug 24th).  I didn't 
check all of these out, but if I had to guess ...


More information about the VIM mailing list